Traditional network security methods use “malware signatures” or “malicious behaviors” derived from a specific threat or threat type to scan a component of a network (such as a client device or server) or data incoming to the network (such as an incoming email or a downloaded file) for the specific malware signature. In this way, known threats that enter, or are present within, a network are found and removed.
However, not all malware can be identified and analyzed in a timely manner. As with biological viruses, computer viruses evolve (whether through polymorphic design concepts or direct developer intervention) and adapt to the countermeasures used to suppress them. As a result, not all malware has a corresponding signature needed to protect a network from infection. This evolution mechanism (as well as other mechanisms) leads to a false-negative inspection result in which malware (or a transmission that includes malware) is identified as safe. This illustrates that malware signature generation and maintenance is not only difficult and resource intensive, but also inaccurate in that the signatures often lag the threats.
Furthermore, traditional signature-based network security protocols are known to not be completely effective in light of the increasingly open and ubiquitous use of mobile computing devices on multiple networks. For example, a device (e.g., a laptop or tablet) associated with a network protected by traditional signature-based security protocols can also easily be used outside of that network. If the device is infected, it can become a vector for transmitting the infection to other systems attached to the network upon reconnection.
As alluded to above, generating malware signatures and applying the signatures to protect a network is resource intensive. Generally, creating malware signatures requires significant computing analysis and engineering to identify the various threats and generate corresponding signatures. Once created, most (if not all) client-level transmissions into and out of a network are monitored to identify whether malware is present. This client-level monitoring consumes a significant amount of computing resources. Furthermore, many false-positive detections are generated from signatures that incorrectly identify legitimate traffic as malware, thus consuming even more computing resources.
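The two failure modes described above (a variant that no longer matches its signature, and a signature that fires on legitimate content) can be shown with a toy signature scanner. The following is an added example, not part of the original text; the samples are constructed strings, not real malware, and the signature formats (a whole-content SHA-256 hash and a byte-substring pattern) are simplifications of what production scanners use. It scores a small sample set against ground truth to show where the false negatives and false positives come from.

```python
"""Toy signature scanner: shows false negatives and false positives.

Added illustration; samples and signatures are constructed, not real.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    kind: str            # "hash": whole-content SHA-256; "pattern": byte substring
    value: bytes | str   # hex digest (str) for "hash", raw bytes for "pattern"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches(sig: Signature, data: bytes) -> bool:
    """True if a single signature matches the scanned content."""
    if sig.kind == "hash":
        return sha256_hex(data) == sig.value
    if sig.kind == "pattern":
        return sig.value in data
    raise ValueError(f"unknown signature kind {sig.kind!r}")


def scan(data: bytes, signatures: list[Signature]) -> list[str]:
    """Return the names of every signature that matches `data`."""
    return [s.name for s in signatures if matches(s, data)]


def evaluate(samples: list[tuple[str, bytes, bool]],
             signatures: list[Signature]) -> dict[str, int]:
    """Compare scanner verdicts with ground truth (name, content, is_malicious)."""
    counts = {"true_positive": 0, "false_negative": 0,
              "false_positive": 0, "true_negative": 0}
    for _name, data, is_malicious in samples:
        flagged = bool(scan(data, signatures))
        if is_malicious and flagged:
            counts["true_positive"] += 1
        elif is_malicious and not flagged:
            counts["false_negative"] += 1      # signature lagged the variant
        elif not is_malicious and flagged:
            counts["false_positive"] += 1      # legitimate content hit a pattern
        else:
            counts["true_negative"] += 1
    return counts


# Constructed samples (plain strings standing in for file contents).
ORIGINAL = b"HEADER|stage1=download|beacon=ping-home|end"
VARIANT = b"HEADER|stage1=download|beacon=ping-house|end"   # one token changed
BENIGN = b"Meeting notes: remember to ping-home before leaving the office."

SAMPLES = [
    ("original", ORIGINAL, True),
    ("variant", VARIANT, True),
    ("benign", BENIGN, False),
]

# Signatures written against the original sample only.
SIGNATURES = [
    Signature("hash-original", "hash", sha256_hex(ORIGINAL)),
    Signature("pattern-beacon", "pattern", b"ping-home"),
]


if __name__ == "__main__":
    for name, data, _ in SAMPLES:
        print(f"{name:9s} -> {scan(data, SIGNATURES)}")
    print(evaluate(SAMPLES, SIGNATURES))
```

The hash signature is exact and so misses the variant entirely; the substring signature is broader, but a short, generic token is enough to flag an unrelated note, which is the false-positive cost the text describes. Broadening signatures to cover variants trades one error type for the other, which is why maintaining them is an ongoing engineering effort rather than a one-time task.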
As a result, despite the significant effort used to generate and maintain malware signatures, expand knowledge of malicious behaviors, and respond to false-positive malware detections, networks, and systems and devices connected thereto, are still infected because of the inherent deficiencies in conventional network protection methods.